Bugtraq mailing list archives
Expedia Product Security Advisory: Cruise Ship Centers Information Disclosure
From: Mike Sheward <msheward () expedia com>
Date: Fri, 5 Jun 2015 21:08:50 +0000
Expedia Product Security Advisory on 6/5/2015

Product: Expedia CruiseShipCenters (CruiseShipCenters.com)
Vulnerability Type: Insecure Direct Object Reference
Impact: Unauthorized Information Disclosure
Credit: Paul O'Neil, IDT911 Consulting (http://idt911.com/)

Background:

During the final step of the booking process with Expedia Cruise Ship Centers it was discovered that a GET parameter (namely 'ctoid') in the following URL could be modified to disclose information about other users of the application who had previously made a booking:

https://cruise.expedia.com/Book/Payment5.aspx

The parameter was accepted as the identifier of the booking to display without verifying that the booking belonged to the requesting user, so changing its value returned another customer's booking details.

Once the issue was remediated, an investigation by the Expedia Incident Response team determined that we have no reason to believe this vulnerability was maliciously exploited.

Remediation Timeline:

Initial Discovery by Mr O'Neil: 5/27/15
Initial Response and Investigation by Expedia Incident Response: 5/27/15
Issue Confirmed Remediated: 6/3/15

Expedia Policy on Responsible Disclosures:

Expedia, Inc. and its affiliated businesses encourage users to report vulnerabilities discovered on any of our Internet sites. If you think you have discovered a vulnerability in the Web application code on any of our sites, please send us an email via respdisc () expedia com with the following information:

* Date and time of discovery
* Specific code
* Proof of concept exploit information

We appreciate your willingness to participate in our efforts to keep Expedia safe and secure, and will publicly acknowledge your contributions. The scope of this program is limited to Expedia-owned Web applications, including Hotels.com, Hotwire.com, Expedia CruiseShipCenters, Venere.com, Egencia.com, and VIA.com.

Thank you,

Mike Sheward
Enterprise Information Security Director, Security Operations Center and Security Incident Response
Expedia, Inc.